Someone has hacked into your email account and spammed everyone in your address book. It can leave you feeling embarrassed and sorry about the annoying, or even possibly destructive, email that has gone to all of your friends and family. Odds are, if it hasn’t happened to you, it will. It’s happened to me twice over the period of about fourteen years. If it hasn’t happened to you yet, it’s not a bad idea to read this to keep it from happening.
How can you tell if your email account has been hacked?
Here are the signs:
- You see lots of bounced messages that you didn’t send in your inbox.
- You are locked out of your email account.
- Your email provider has told you that someone else is using your account.
- You are getting emails from people stating that they got a strange email from you. (You won’t necessarily see any emails in your Sent Items folder. The hackers can easily erase these.)
If this sounds like your situation, you’ll need to block out some time right now to deal with it.
The First Thing You Need To Do
If you are locked out of your email account, go through the process to re-activate it. For example, for Microsoft Hotmail/Live Mail, when you try to log back in you’ll be directed to click a button which will email you a security code (to a different email account) that will allow you to get back into your account.
Once you regain control, your top priority is to change your email password. Pick a new password with upper and lowercase letters, numbers, and a symbol, if allowed. Make it at least ten characters. Write it down on a piece of paper. You can change it to something else later.
Warn Your Contacts
Next, take a look at one of the bounced emails. If it simply contains a website link, that is the best-case scenario. This is simply an annoyance and won’t cause any permanent damage to the people you’ve unintentionally spammed. Move to the next step.
If, on the other hand, it contains a file attachment (perhaps that you clicked on?) or if it is a phishing scam (i.e., a personal message that seems to come from you asking for something), this is a worse situation that can cause your friends and family financial damage. You probably should follow up and email all of your contacts to tell them not to click on anything in the previous email from you. Yes, I know this is a huge pain if your address book is large (which is why I recommend pruning your contact list below). You can also quickly post to your friends on Facebook to warn them not to open a strange email from you.
Your Password Strategy
If your email account was hacked from the web, someone now knows your email address and the password that goes with it. Not good. You’ll have to change these passwords.
I recommend using three passwords. Choose a good, secure base password, and use a slight variation of it for each of your most important critical sites such as your email accounts, bank sites, credit card sites, and social networking sites. Pick another password to use for medium critical sites like shopping websites. You can use the same password for each of these. Finally, pick a third “throwaway” password to use for amateur sites, informational sites, or sites where you don’t care if someone else logs in as you. Write these passwords down.
Why is the “throwaway” password important? Imagine how easy it would be to set up a website promising, say, a chance to win a free iPad, if you just log in with your email address and password. This site could harvest passwords, which a hacker could later try to use on Amazon or a bank or whatever. That’s why this throwaway password is important. If you suspect that a site looks amateurish and is not from a major well-established company, don’t use your prized high-security password on that site.
Okay, back to the cleanup effort. You should immediately change the passwords for any sites that use the same email address and password as the account that was hacked. Start with critical sites like bank sites and credit card sites. As I mentioned, use a slight variation of your high-security password for these sites, so that each site has a slightly different password. Next, move onto shopping sites that have your credit card info stored.
As you’re going through sites and changing passwords, try to delete your account completely if you don’t plan to use that website again. Sadly, most sites don’t allow you to do this (kudos to companies like Ikea that do!) If not, do the next best thing, which is to delete your credit card info. I haven’t encountered a shopping website that doesn’t let you do that. Then if someone gets your email/password combo, at least they won’t be order a bunch of stuff compliments of you. Always decline the offer to store your credit card info on any website.
Using different email addresses for different types of sites can give you an extra layer of protection. For example, if you have an email address that is posted publicly (like in a comment wall, blog, or bulletin board), avoid using that email address as your login for critical banking sites.
Beef Up Your Antivirus
On to the next step. These days, most email incursions come from the web, meaning that it had nothing to do with your physical computer. Someone (or perhaps a computer program that someone wrote), was able to guess your password and log into your email account through the web. If you use a Mac, or if you don’t use a desktop email program like Outlook or Live Mail, or if your computer was off at the time of the attack, the incursion probably happened on the web.
If, on the other hand, the attack came from a virus on your computer, or perhaps an email attachment you clicked on, you need to get your antivirus protection up-to-date. If you’re not sure which kind of attack happened, it’s not a bad idea to update your antivirus protection anyway. Microsoft offers a good, free, antivirus program called Microsoft Security Essentials. Make sure the antivirus profiles are up to date, then do a scan of your computer.
Next, update all of those programs that have been bugging you to be updated, like Adobe PDF Reader, Internet Explorer, etc. Those updates often have security fixes. Get the latest versions of everything. Run Windows Update if you are a PC user.
Congratulations. You’ve now stopped the bleeding. You’ve probably spent about a half a day or more dealing with this nightmare. There is more to do, but these are not as urgent and can be done when you have some spare time. Go back to work or whatever you need to do for the rest of your day.
Prune Your Contacts/Address Book
When you have some time, back up your email contact list (or address book as it is sometimes called) to a “CSV” file which you can read using Excel. In Windows Live Mail, you do this by going to your address book, then clicking on “Export”. Save this file to a safe place on your computer.
Then, start going through your contact list and deleting people that you don’t feel like you’ll need to contact anymore. You might be surprised that you don’t even know who some of those people are! Go ahead and delete liberally because you have that backup file which you can always search if you need their contact info. This will minimize the damage to other people if you ever get hacked again. My contact list had ballooned to over six hundred people, and I was able to get it down to less than two hundred.
Clean Out Your Inbox
If the attack came from the web, it is possible that the hackers could see your entire email inbox. If you are like many people, you might have hundreds of emails in there with bank statements, account numbers, and other sensitive information. Move these emails to a local folder on your computer (not a folder on your email server!). Oh, and don’t forget to clear out your outbox and deleted items as well!
Protect Your Facebook Account
Having your Facebook account hacked is another disastrous ordeal that can cause lots of embarrassment and damage. It makes sense to take special precautions here. First, use a variation of your “high security” password for your social networking sites. Second, Facebook has a feature where it will send you an email if someone logs in from a new computer, so at least you’ll know if your account was hacked. Turn this on by clicking the triangle at the upper right corner of the page, selecting Account Settings, and then clicking on Security. Click on Edit next to Login Notifications and turn it on for Email. That way, if anyone hacks into your Facebook account, you’ll be notified immediately by email.
Good Habits From Now On
You’ve now shored up your defenses against getting your email account hacked. But, moving forward, there are some good habits that you should start.
First, remember when to use your three types of passwords: high security for financial sites and email sites, medium for stores, and low for amateur sites and newsletters that don’t involve sensitive information.
Second, record all of the sites that you create accounts for, and which of the three passwords you use. Personally, I created a file on my computer that has this info, but I don’t actually write down the passwords verbatim. I just give hints as to which password goes with each site. So, even if someone got a hold of that file, they couldn’t get into my accounts.
Third, avoid storing your credit card info on any shopping sites, as convenient as that may be.
Fourth, avoid posting your main email address online, for example, in a comment wall or forum. Instead, use a different email account for that.
Next, a word about using your Google, Twitter, or Facebook account to log into websites. Some people are staunchly against giving these companies more power over their lives lives. Personally, I like the convenience of not having to type in yet another password. When you log into a website or app using your Facebook account, you are giving that app your login name, your real name, your picture, your gender, and your preferred language. All of this info is publicly available anyway. However, if the website requires additional information like permission to post on your wall or your email address, or even your birthday, I run away as fast as I can. Another argument against this is that if your Facebook account gets hacked, then the hackers also can get into these other sites. I see this as sort of a good thing, because it compartmentalizes your accounts. In other words, if someone hacks your non-Facebook password, then the sites you log into using Facebook are protected. I leave this ultimately for you to decide for yourself.
Your Cheat Sheet
Here is a step-by-step cheat sheet summarizing everything I’ve talked about:
To do right now:
- If your email provider has frozen your account, go through the steps to reactivate it.
- Change your email password right now to something more secure (i.e., using upper and lowercase letters, numbers, and a symbol or two, at least ten characters).
- If the email that was sent out is a phishing scam or had an attachment, warn people about it after you regain control of your email account. Warn your friends on Facebook posting that your email was hacked and they should not open a recent email from you.
- Change the passwords for any other important sites that use the same password as the one that got hacked. Erase your account on websites that you don’t use anymore, if that is an option. Remove any credit card information stored on websites that you still use, or can’t delete.
- Determine if the intrusion was through a virus or through the web. If a virus, then make sure your antivirus software and profiles are up to date, then run a scan (if you’re not sure, do it anyway). Also, make sure the software on your computer is up-to date. On a Windows machine, run Windows Update.
To do when you have a chance:
- Back up your email address book, then pare it down to those you still correspond with.
- Clean out your email inbox.
- Set up Facebook to inform you of logins from different computers.
To do in the future:
- Remember when to use the three types of passwords.
- Record what sites you log into and which passwords you use for them, using hints, not the password verbatim.
- Never store credit card info on a site, despite the convenience of doing so.
- Avoid displaying your primary email address online.
- Keep your inbox, outbox, and deleted items email folders as small as possible.
- Avoid using public computers to check email or anything else that requires a password.
If not convinced about the need to do all of this, read this article about an epic hacking that could happen to anyone..
Hope this was helpful!